Mar 1 | Privacy, GDPR, CCPA & Beyond | Privacy vs Security: Privacy relates to an individual's rights with respect to their personal information. Privacy becomes very important when it comes to processing personal data, and we need to make sure that we handle that type of data ethically and lawfully. … | Privacy, 3 min read
Nov 12, 2020 | What is a Risk Register? | A risk register is a tool used in the risk management process. It is simply a repository, often no more than a table, that lists every identified risk together with the related information about each one (owner, likelihood, impact, treatment, status). Many different tools can act as a risk register, from comprehensive GRC and… | Risk Management, 3 min read
Jan 31, 2020 | How to Define PCI DSS Scope? | 1. Cardholder Data Environment: Finding where PCI DSS controls/safeguards are required and which systems need to be protected is the key to successfully achieving PCI DSS compliance. Many organizations still have trouble figuring out which systems are in PCI DSS scope and which are not. … | Cybersecurity, 6 min read
Jun 12, 2019 | NYDFS Cybersecurity Regulation | Introduction: 23 NYCRR 500, aka the NYDFS Cybersecurity Regulation, is a set of regulations from the New York Department of Financial Services (NYDFS) that places new cybersecurity requirements on all covered financial institutions. Banks, insurance companies and other financial services companies licensed or regulated by NYDFS must now assess their cyber risks, implement a… | Cybersecurity, 1 min read
Jun 3, 2019 | Access Attestation | In general, attestation means approving something and providing evidence that it is true. In Identity and Access Management (IAM), access attestation is an ongoing review and confirmation process that helps an organization reduce risk by granting users only the access they need to data, systems and/or applications, evaluating the risk associated with that… | Attestation, 1 min read
Aug 8, 2018 | What is SOC 2 and do we need it? | SOC 2 is one of the more common compliance requirements that tech companies must meet today to stay competitive in the market. SOC stands for System and Organization Controls; the framework was introduced by the AICPA and is based on the Trust Services Criteria (explained later). Each Trust Services Criteria (TSC) is divided… | Security, 4 min read
Aug 6, 2018 | PCI Maturity Levels | I was recently asked, as a Subject Matter Expert (SME), to determine the maturity level of a business's PCI DSS program. … | Security, 3 min read
Jul 29, 2018 | How To Pass the CRISC Exam Easily | Surveys of IT leaders find that security certifications are increasingly important in today's enterprise environments. The two most widely recognized certification bodies in the infosec industry are ISC2 (which issues CISSP, CCSP, SSCP, …) and ISACA (which is known for CISA, CISM and CRISC). … | Certification, 3 min read
Jul 27, 2018 | PCI Mandatory Documents | List of all documents that we have to prepare based on PCI DSS 3.2.1: security policy; risk assessment and risk analysis process; diagram or a documented inventory of cardholder data locations; up-to-date list of devices and system components that are in scope for PCI DSS; current network diagram that identifies… | Security, 1 min read
Jul 27, 2018 | Brief Explanation of PCI DSS Requirements | PCI DSS is an information security standard for organizations and companies that store, process or transmit cardholder data for cards from Visa, MasterCard, American Express, Discover and JCB. PCI DSS is mandated by the card brands and administered by the Payment Card Industry Security Standards Council (PCI SSC). PCI DSS is designed to put some… | Security, 11 min read